Multinational engineering firm Maire Tecnimont goes passwordless
About our customer Marie Tecnimont
Maire Tecnimont is a multinational group with a highly technological DNA. As an International leader in the field of plant engineering (mainly in the hydrocarbon sectors of petrochemical engineering and refining, and fertilizers), Maire Tecnimont manages large turnkey engineering, procurement, and construction (EPC) projects. It operates in over 45 countries on four continents.
The challenge: Become passwordless to improve security and user experience
Maire Tecnimont desired to become a passwordless company in order to improve both security and user experience. A simplified UX that matched currently deployed infrastructure, including physical access, application security attestation, and strong administration capacity across its IT map was mandatory. A desired deployment scenario would allow a user authentication method for Microsoft Windows and Active Directory session access, web apps, access to printers, as well as authentication to NFC-enabled devices.
Maire Tecnimont looked into several technologies to suit their requirement for a multi-purpose solution that retained compatibility with their existing modern hardware (accessibility through hardware ports like USB A, USB C and diverse devices like Macs, PCs, Android-based, etc.). Highly desirable was a single tool to associate user identity.
The YubiKey was initially chosen for its capacity to address a large variety of use cases; Windows login via the smartcard functionalities, Office 365 using native FIDO2, and other web applications, as well as physical access to buildings and lockers. Two technologies are available for lockers: NFC tags and FIDO2. FIDO2 would allow locker access management in all Maire Tecnimont offices around the world.
A trial deployment started in April 2019 for a first group of 500 users. After a successful initial roll-out, Maire Tecnimont decided to expand the deployment to another 2,500 users to be equipped through 2019.
The solution: YubiKeys support industry standards and strong authentication
Maire Tecnimont chose to deploy the YubiKey 5 NFC. This device’s unique ability to support a large variety of open standards over USB and NFC made it possible to address all the use cases needed where a strong authentication was required.
Maire Tecnimont started by leveraging the Smartcard capability of the YubiKey to enable a passwordless, secure login experience in their Microsoft Windows environment. Users plug their YubiKey, enter their PIN code and upon authentication they are permitted to access their Windows session, and subsequently access business applications through Single Sign On. Processes were created for user’s key enrollment, revocation and temporary access, all leveraging Microsoft native support for the YubiKey role as a Smartcard device. Additionally leveraging FIDO2 capabilities users also have the possibility of accessing their Office 365 applications in a passwordless mode even from non-managed computers.
The same tokens used for securing access to IT assets are also used to grant physical access to Maire Tecnimont facilities, locker rooms and printers, via the YubiKey NFC interface. Plans now include expanding the protected user base from 500 to 3000 in 2019, and to finally equip all 8000 Maire Tecnimont employees in 2020.
“Yubico allowed Maire Tecnimont to start their deployment with perfect timing, totally aligned to their rollout plans. We are looking forward to bringing this project into 2020, turning Maire Tecnimont in a state of the art passwordless company.”
The results: Improved user experience and reduced support costs
- Users understand the responsibility of their unique user identity, which for the first time was related to a physical object, a token and keeping the PIN code reserved, a process similar to credit card use.
- Improvement in the user experience with the ability to remove passwords, as well as using one device for all authentication purposes
- A 25% reduction in support tickets for account/password management.
- Future-proof solution for integration with Microsoft Webauthn protocol when released
- Ability for users to keep the same YubiKeys already issued for Smartcard authentication, and start using them for FIDO2 authentication.